
Bug#568397: linux-image-2.6.32-trunk-amd64: null pointer dereference on USB CDC ACM device with no endpoints on control interface



On Thu, Feb 04, 2010 at 03:51:32PM +0100, Simon Richter wrote:
> Package: linux-2.6
> Version: 2.6.32-5
> Severity: normal
> 
> Hi,
> 
> while playing with a USB device, I found that the kernel dereferences a
> NULL pointer if a CDC ACM device declares to have no endpoints
> associated with the CDC control interface. I believe the validity check
> should be more stringent here.

I agree.  Let's see what upstream has to say.

Ben.

> The relevant bits of code look like this:
> 
>         epctrl = &control_interface->cur_altsetting->endpoint[0].desc;
>         epread = &data_interface->cur_altsetting->endpoint[0].desc;
>         epwrite = &data_interface->cur_altsetting->endpoint[1].desc;
> 
> No further verification except for swapped data endpoints is performed
> afterwards.
> 
>    Simon
> 
> -- Package-specific info:
> ** Version:
> Linux version 2.6.32-trunk-amd64 (Debian 2.6.32-5) (ben@decadent.org.uk) (gcc version 4.3.4 (Debian 4.3.4-6) ) #1 SMP Sun Jan 10 22:40:40 UTC 2010
> 
> ** Command line:
> BOOT_IMAGE=/vmlinuz-2.6.32-trunk-amd64 root=/dev/mapper/richter-root ro quiet
> 
> ** Not tainted
> 
> ** Kernel log:
> [11278.817700] cdc_acm 2-3:1.0: This device cannot do calls on its own. It is not a modem.
> [11278.817743] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
> [11278.817746] IP: [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
> [11278.817756] PGD 600d1067 PUD 60086067 PMD 0 
> [11278.817760] Oops: 0000 [#1] SMP 
> [11278.817762] last sysfs file: /sys/devices/pci0000:00/0000:00:12.0/usb2/2-3/manufacturer
> [11278.817765] CPU 0 
> [11278.817767] Modules linked in: radeon ttm drm_kms_helper drm agpgart i2c_algo_bit ppdev lp sco bridge stp rfcomm bnep l2cap crc16 powernow_k8 cpufreq_powersave cpufreq_userspace cpufreq_conservative cpufreq_stats binfmt_misc deflate zlib_deflat
> ellia serpent blowfish cast5 des_generic cbc cryptd aes_x86_64 aes_generic xcbc rmd160 sha256_generic sha1_generic hmac crypto_null af_key fuse nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc nls_utf8 cifs hwmon_vid loop dm_crypt snd_hd
> altek snd_hda_intel snd_seq_midi snd_hda_codec snd_rawmidi snd_seq_midi_event snd_hwdep snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer usbhid pl2303 snd btusb shpchp cdc_acm i2c_piix4 hid usbserial parport_pc edac_core k8temp e
> h soundcore parport i2c_core processor rfkill snd_page_alloc pcspkr evdev ext3 jbd mbcache dm_mod ide_cd_mod cdrom sd_mod crc_t10dif ata_generic ide_pci_gener
> c ahci ohci_hcd ehci_hcd atiixp r8169 libata 8139too 8139cp mii floppy button ide_core usbcore nls_base scsi_mod thermal fan thermal_sys [last unloaded: scsi_wait_scan]
> [11278.817841] Pid: 309, comm: khubd Not tainted 2.6.32-trunk-amd64 #1 GA-MA74GM-S2H
> [11278.817843] RIP: 0010:[<ffffffffa02b9ca9>]  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
> [11278.817849] RSP: 0018:ffff88006cea1930  EFLAGS: 00010293
> [11278.817851] RAX: 0000000000000000 RBX: ffff880052c08800 RCX: 0000000000000000
> [11278.817853] RDX: 0000000000000000 RSI: 00000000000080d0 RDI: ffff8800376ea000
> [11278.817856] RBP: ffff8800376e9000 R08: 000000000000000c R09: ffff880062ae9888
> [11278.817858] R10: 000080d0000000d0 R11: 00000000000186a0 R12: ffff880062ae9888
> [11278.817860] R13: ffff880052c08000 R14: 0000000000000000 R15: ffff880052c08000
> [11278.817863] FS:  00007f4dc9bf5910(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
> [11278.817866] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
> [11278.817868] CR2: 0000000000000004 CR3: 0000000060157000 CR4: 00000000000006f0
> [11278.817870] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [11278.817873] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [11278.817875] Process khubd (pid: 309, threadinfo ffff88006cea0000, task ffff88006cdff810)
> [11278.817877] Stack:
> [11278.817879]  ffffffff813c7d84 ffff88006f5329a0 0000000000000000 ffffffff810fcb34
> [11278.817882] <0> ffff880060130090 ffffffff8113cebf 0000000000000000 ffff880052c08800
> [11278.817886] <0> 0000000000000000 ffff880062ae9840 ffff880060130000 ffffffff00000000
> [11278.817890] Call Trace:
> [11278.817897]  [<ffffffff810fcb34>] ? iput+0x27/0x60
> [11278.817902]  [<ffffffff8113cebf>] ? sysfs_addrm_finish+0x66/0x204
> [11278.817914]  [<ffffffffa005975a>] ? usb_match_one_id+0x23/0x7f [usbcore]
> [11278.817924]  [<ffffffffa005a6dd>] ? usb_probe_interface+0x107/0x157 [usbcore]
> [11278.817930]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
> [11278.817934]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
> [11278.817937]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
> [11278.817940]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
> [11278.817942]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
> [11278.817948]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
> [11278.817956]  [<ffffffffa005942a>] ? usb_set_configuration+0x589/0x5f2 [usbcore]
> [11278.817965]  [<ffffffffa0060dac>] ? generic_probe+0x61/0xa9 [usbcore]
> [11278.817969]  [<ffffffff8120e0e8>] ? driver_probe_device+0xa3/0x14b
> [11278.817972]  [<ffffffff8120e1ff>] ? __device_attach+0x0/0x39
> [11278.817975]  [<ffffffff8120d713>] ? bus_for_each_drv+0x46/0x77
> [11278.817978]  [<ffffffff8120e2bb>] ? device_attach+0x60/0x7e
> [11278.817981]  [<ffffffff8120d58b>] ? bus_probe_device+0x1f/0x38
> [11278.817986]  [<ffffffff8120c258>] ? device_add+0x3a2/0x537
> [11278.817993]  [<ffffffffa00531ec>] ? usb_new_device+0x125/0x186 [usbcore]
> [11278.818001]  [<ffffffffa00548ec>] ? hub_thread+0xc19/0x1175 [usbcore]
> [11278.818006]  [<ffffffff81064aae>] ? autoremove_wake_function+0x0/0x2e
> [11278.818014]  [<ffffffffa0053cd3>] ? hub_thread+0x0/0x1175 [usbcore]
> [11278.818017]  [<ffffffff810647e1>] ? kthread+0x79/0x81
> [11278.818021]  [<ffffffff81011b6a>] ? child_rip+0xa/0x20
> [11278.818024]  [<ffffffff81064768>] ? kthread+0x0/0x81
> [11278.818026]  [<ffffffff81011b60>] ? child_rip+0x0/0x20
> [11278.818028] Code: 33 9c 2b a0 ff 13 48 83 c3 08 48 83 3b 00 eb d8 48 85 ed b8 f4 ff ff ff 0f 84 ab 07 00 00 48 8b 54 24 40 31 c0 48 83 7c 24 68 02 <0f> b7 52 04 0f 95 c0 ff c0 89 44 24 60 89 54 24 5c 41 0f b7 44 
> [11278.818054] RIP  [<ffffffffa02b9ca9>] acm_probe+0x4d6/0xcb1 [cdc_acm]
> [11278.818058]  RSP <ffff88006cea1930>
> [11278.818060] CR2: 0000000000000004
> [11278.818062] ---[ end trace ba11069b8b4d1dae ]---
[...]

-- 
Ben Hutchings
In a hierarchy, every employee tends to rise to his level of incompetence.
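As an added illustration (not code from the report, from this reply, or from the kernel's cdc_acm driver), the function below models the endpoint-count check that acm_probe would need before it indexes endpoint[0] on the control interface and endpoint[0]/endpoint[1] on the data interface. The two structs are constructed user-space stand-ins for the USB descriptor types, the descriptor sets at the bottom are made up rather than captured from a device, and the direction and transfer-type checks after the swap are an added tightening beyond the swap check the report mentions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for struct usb_endpoint_descriptor (not the kernel's). */
struct ep_desc {
    uint8_t bEndpointAddress;   /* bit 7 set means an IN endpoint */
    uint8_t bmAttributes;       /* low two bits: transfer type (2 = bulk, 3 = interrupt) */
};

/* Constructed stand-in for the cur_altsetting the driver indexes into. */
struct host_interface {
    uint8_t bNumEndpoints;
    const struct ep_desc *endpoint;   /* NULL when the device advertises none */
};

struct acm_endpoints {
    const struct ep_desc *ctrl;
    const struct ep_desc *in;
    const struct ep_desc *out;
};

/*
 * Pick out the control and data endpoints the way the quoted acm_probe
 * snippet does, but only after checking that each interface carries enough
 * endpoints to index. Returns 0 on success, -EINVAL for a descriptor set
 * the driver must reject.
 */
int acm_select_endpoints(const struct host_interface *control,
                         const struct host_interface *data,
                         struct acm_endpoints *out)
{
    if (!control || !data || !out)
        return -EINVAL;

    /* The driver needs endpoint[0] on the control interface and endpoint[0]
     * and endpoint[1] on the data interface: at least one and two endpoints
     * respectively. This is the check the report says is missing. */
    if (control->bNumEndpoints < 1 || data->bNumEndpoints < 2)
        return -EINVAL;
    if (!control->endpoint || !data->endpoint)
        return -EINVAL;

    out->ctrl = &control->endpoint[0];
    out->in   = &data->endpoint[0];
    out->out  = &data->endpoint[1];

    /* The swap the report mentions: tolerate devices that list OUT first. */
    if (!(out->in->bEndpointAddress & 0x80)) {
        const struct ep_desc *tmp = out->in;
        out->in = out->out;
        out->out = tmp;
    }

    /* Added tightening: after the swap, directions and transfer types must
     * match what the driver assumes (interrupt control pipe, bulk data pipes). */
    if (!(out->in->bEndpointAddress & 0x80) || (out->out->bEndpointAddress & 0x80))
        return -EINVAL;
    if ((out->ctrl->bmAttributes & 0x03) != 0x03 ||
        (out->in->bmAttributes & 0x03) != 0x02 ||
        (out->out->bmAttributes & 0x03) != 0x02)
        return -EINVAL;

    return 0;
}

/* Wrapper returning only the verdict for a descriptor set. */
int acm_check(const struct host_interface *control, const struct host_interface *data)
{
    struct acm_endpoints eps;
    return acm_select_endpoints(control, data, &eps);
}

/* Returns the selected bulk IN address, or 0 if the descriptors are rejected. */
unsigned int acm_in_address(const struct host_interface *control, const struct host_interface *data)
{
    struct acm_endpoints eps;
    if (acm_select_endpoints(control, data, &eps) != 0)
        return 0;
    return eps.in->bEndpointAddress;
}

/* Constructed descriptor sets (not captured from a real device). */
static const struct ep_desc ctrl_eps[]     = { { 0x81, 0x03 } };                 /* interrupt IN */
static const struct ep_desc data_eps[]     = { { 0x82, 0x02 }, { 0x02, 0x02 } }; /* bulk IN, bulk OUT */
static const struct ep_desc data_eps_rev[] = { { 0x02, 0x02 }, { 0x82, 0x02 } }; /* bulk OUT, bulk IN */

const struct host_interface ctrl_ok    = { 1, ctrl_eps };
const struct host_interface ctrl_none  = { 0, NULL };      /* the case in the bug report */
const struct host_interface data_ok    = { 2, data_eps };
const struct host_interface data_rev   = { 2, data_eps_rev };
const struct host_interface data_short = { 1, data_eps };  /* only one data endpoint */

int main(void)
{
    printf("well-formed device      -> %d\n", acm_check(&ctrl_ok, &data_ok));
    printf("data endpoints reversed -> %d (IN=0x%02x)\n",
           acm_check(&ctrl_ok, &data_rev), acm_in_address(&ctrl_ok, &data_rev));
    printf("no control endpoints    -> %d\n", acm_check(&ctrl_none, &data_ok));
    printf("one data endpoint only  -> %d\n", acm_check(&ctrl_ok, &data_short));
    return 0;
}
```

The bug-report case is ctrl_none: bNumEndpoints is 0 and the endpoint array pointer is NULL, so without the count check endpoint[0].desc is a read through NULL at a small offset, matching the CR2 value of 0000000000000004 in the quoted oops. The same check also rejects a data interface that advertises a single endpoint, which the original code would index past.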
